Oracle Blog

when you find the need to go beyond documentation..

XACML - Declarative Access Control

Web applications need access control. I'm not gonna justify that fact. All web applications have the ability where you can restrict access to the resources that reside on it by simply modifying the deployment descriptors (web.xml). This method is called declarative security or declarative access control. Well, but does this really suffice ?

Support for XACML allows our customers to share access control policies across corporate boundaries and offers more dynamic standards-based tools for creating federated mashups. As a result, our customers can continue to expand their business reach while using open-standards to enforce security decisions and minimize security risk.

Please Note: This is NOT sunxacml. sunxacml is implementation of XACML 2.0 specifications from sun labs. This does not have support for SAML2.0 profile of XACML 2.0 and is not part of OpenSSO.

OpenSSO XACML implements SAML2.0 Profile of XACML2.0 - supporting XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement. PEP makes XAML2.0/SAML2.0/SOAP request to PDP and gets response. The OpenSSO XACML client sample is a remote client library that could be used by an application to make XACML calls to PDP.

The returned XACMLAuthzDecisionStatement has XACML Response, Result, Decision and so forth. The OpenSSO XACML implementation leverages SAML2.0 capability of OpenSSO to manage SAML2 metadata of PDP and PEP and exchange SAML messages.

Here's a simple 5 step guide to running the XACML client and testing it with opensso.

get the OpenSSO.zip, extract and get the opensso-client.zip under samples directory